AWS distinguished engineer Eric Brandwine speaks with hundreds of customers each year, and noticed one question coming up more than any other, "How does AWS operationalize its own security?" In this session, Eric details both strategic and tactical considerations, along with an insider's look at AWS tooling and processes.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
N o v e m b e r 3 0 , 2 0 1 7
The AWS Philosophy of Security
SID322
Eric Brandwine, AWS VP and Distinguished Engineer

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Some Context

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How Do You Do Security?
'Cause I want to security, too!

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Is This System Secure?
?

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security Is Easy…

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Usable Security Though…

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
It is the goal of every security
organization to build a system that,
over time, maximizes the delivered
customer value while minimizing
the cost of that delivery.

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rejected Takeoff
6

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
A List
No pre-flight checklist
No abort when they spot the lock warning light
No abort when they can't throttle up
Use of the auto throttle to attempt to throttle up
FPSOV pulled despite not being on any procedure

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The boss will be angry because we have
to abort takeoff. That means we will be
late, and might even miss our clearance
window and be even later.
Maybe we will all die.
or

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
A review of data from the airplane’s quick
access recorder revealed that the pilots
had neglected to perform complete flight
control checks before 98% of their
previous 175 takeoffs in the airplane,
indicating that this oversight was habitual
and not an anomaly.

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“The gradual process through which
unacceptable practice or standards
become acceptable. As the deviant
behavior is repeated without
catastrophic results, it becomes the
social norm for the organization.”

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
http://science.ksc.nasa.gov/shuttle/missions/
51-l/docs/rogers-commission/Appendix-F.txt

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
That's how we've always done it.
Nothing bad has ever happened.
I don't think that's how
{humanity/society/the internet} works.

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Democracy is the worst
form of government,
except for all the others.
—Winston Churchill

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Humans are the worst
way to put together a
security team, except for
all the others.
—not Winston Churchill

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What's a Security Guy to Do?
• Calibrate objectively
• Invite (appropriate) outside scrutiny
• Account for the humans in your system
• Service teams
• The Security team
• Customers
• Adversaries
• You

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Some
Lots
Many

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
"Security and operational
excellence are job zero."

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Escalate!

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ownership
Leaders are owners. They think long term and don’t
sacrifice long-term value for short-term results. They act
on behalf of the entire company, beyond just their own
team. They never say, “that’s not my job."

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Earn Trust
Leaders listen attentively, speak candidly, and treat
others respectfully. They are vocally self-critical, even
when doing so is awkward or embarrassing. Leaders do
not believe their or their team’s body odor smells of
perfume. They benchmark themselves and their teams
against the best.

36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Customer Obsession
Leaders start with the customer and work backwards.
They work vigorously to earn and keep customer trust.
Although leaders pay attention to competitors, they
obsess over customers.

37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Measure Everything
and
Report On It

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The primary virtue of the programmer is laziness.
—not quite Larry Wall
“Good intentions never work, you need good
mechanisms to make anything happen.”
—Jeff Bezos

39. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
0
10
20
30
40
50
60
0-30 30-60 60-90 90+
NumberofReviews
Days Stale
AppSec Review Staleness

40. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

41. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Insist On the Highest Standards
Leaders have relentlessly high standards—many people
may think these standards are unreasonably high.
Leaders are continually raising the bar and driving their
teams to deliver high quality products, services, and
processes. Leaders ensure that defects do not get sent
down the line and that problems are fixed so they stay
fixed.

42. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Measure Everything
and
Report On It
and
Take an SLA

43. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

44. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
It is the goal of every security
organization to build a system that,
over time, maximizes the delivered
customer value while minimizing
the cost of that delivery.

45. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security
Time
Lots

46. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Least Privilege
=
Maximum Effort

47. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Prevention
Analysis Response
Detection

48. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
… even well-meaning gatekeepers slow
innovation. When a platform is self-service, even
the improbable ideas can get tried, because
there’s no expert gatekeeper ready to say “that
will never work!” And guess what—many of
those improbable ideas do work, and society is
the beneficiary of that diversity.

49. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Prevention
Analysis Response
Detection

50. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What Should I Automate?
?

51. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Is Your System Real-Time?
Maybe?

52. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Prevention
Analysis Response
Detection

53. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“The gradual process through which
unacceptable practice or standards
become acceptable. As the deviant
behavior is repeated without
catastrophic results, it becomes the
social norm for the organization.”

54. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Action Items
Do the thing you signed up to do 12/31/2017

55. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Action Items
Do the thing you signed up to do 12/31/2017

56. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Action Items
Do the thing you signed up to do 1/5/2018

57. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Action Items
Do the thing you signed up to do 1/5/2018
1/3/2018

58. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Action Items
Do the thing you signed up to do 1/5/2018
12/5/2017
11/5/2017
10/5/2017
9/5/2017

59. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Action Items
Do the thing you signed up to do 1/5/2018
7/5/2017

60. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Short Version
• Humans are weird
• Account for them, you can't patch them
• Security is everyone's job
• Saying it doesn't make it true
• Measure objectively
• Security is all about efficiency
• Guard your resources, especially your humans

61. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!